Install Splunk in an all-in-one architecture

This document will guide you through the installation process for an all-in-one Wazuh Splunk server.

Note

You need root user privileges to run all the commands described below.

These are the two main components of this all-in-one server:

  • The indexer runs the Splunk engine. It receives the data streamed by the forwarder, parses and indexes it, and stores it as events containing the alerts generated by the Wazuh manager.
  • The forwarder reads local data from the Wazuh manager (the alerts file) and from the Wazuh API instance, and sends it to the indexer.

Note

  • Splunk is not open source software, and it requires a registered user and license in order to work. You can also use a free trial license.

  • This guide installs and configures Splunk |SPLUNK_LATEST_MINOR|. If you intend to configure another version of Splunk, such as 8.1, change the Splunk version number in the requests for the configuration files and the Wazuh app for Splunk. For example:

    # curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-|SPLUNK_LATEST_MINOR|/setup/indexer/indexes.conf

    Becomes

    # curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-8.1/setup/indexer/indexes.conf

Warning

This section installs Splunk using the all-in-one deployment schema, which is typically suitable only for testing. Other installation options are:

Install and configure Splunk indexer

This component receives the data flow streamed by a forwarder and stores it in a Splunk index.

  1. Download the Splunk package from its official website. The versions of Splunk compatible with Wazuh and the Wazuh app for Splunk can be found :ref:`here <wazuh_and_splunk_app>`.

  2. Install the Splunk package:

    1. For RPM based distributions:

      # yum install splunk-enterprise-package.rpm
    2. For Debian/Ubuntu distributions:

      # dpkg --install splunk-enterprise-package.deb
  3. Configure inputs.conf and indexes.conf:

    1. Create indexes.conf:

      # curl -so /opt/splunk/etc/system/local/indexes.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-|SPLUNK_LATEST_MINOR|/setup/indexer/indexes.conf
    2. Create inputs.conf:

      # curl -so /opt/splunk/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-|SPLUNK_LATEST_MINOR|/setup/indexer/inputs.conf
  4. Ensure Splunk is installed in /opt/splunk and start the service:

    # /opt/splunk/bin/splunk start

    Note

    This command displays the Splunk General Terms, which must be accepted, and then prompts for:

    • Administrator name
    • Password

Set up data forwarding

.. tabs::

  .. group-tab:: Data forwarding with SSL

      #. Edit ``/opt/splunk/etc/system/local/inputs.conf`` and add the block below:

         .. code-block:: console

            [SSL]
            serverCert = $SPLUNK_HOME/etc/auth/server.pem
            sslPassword = password


         Where:

         - ``serverCert`` is the path to the Splunk default server certificate, generated by Splunk when the instance is first started.
         - ``$SPLUNK_HOME`` is the Splunk installation directory. The default directory is ``/opt/splunk``.
         - ``sslPassword`` is the password of the certificate's private key. The default is “password”.

         The default certificate is signed by a CA that ships with every Splunk installation and its password is public, so these values only encrypt the traffic; they do not meaningfully authenticate the peer. Outside a test deployment, use a certificate and password of your own.


      #. Restart the Splunk service:

         .. code-block:: console

             # /opt/splunk/bin/splunk restart


      #. **Optional**. If you additionally want the Splunk service to start at boot time, please execute the following command:

         .. code-block:: console

             # /opt/splunk/bin/splunk enable boot-start


  .. group-tab:: Data forwarding without SSL


      #. Open Splunk in your preferred browser.

      #. Navigate to **Settings > Data > Forwarding and receiving**.

         .. thumbnail:: /images/splunk-app/1.png
            :align: left
            :width: 100%

      #. Select “Configure receiving”

         .. thumbnail:: /images/splunk-app/2.png
            :align: left
            :width: 100%

      #. Add an unused port as a new receiving port and save it.

         .. thumbnail:: /images/splunk-app/3.png
            :align: left
            :width: 100%

      #. Restart the Splunk service.

         .. code-block:: console

            # /opt/splunk/bin/splunk restart

      #. **Optional**. If you additionally want the Splunk service to start at boot time, please execute the following command:

         .. code-block:: console

            # /opt/splunk/bin/splunk enable boot-start

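As an added example, not code from the Wazuh or Splunk documentation, the following POSIX shell helpers read the Splunk ``.conf`` files written by the indexer steps above and report which receiving ports and TLS settings the indexer ended up with, without needing ``splunk btool``. The ``inputs.conf`` built at the end is constructed for the demo; the stanza names it relies on (``[splunktcp://PORT]``, ``[splunktcp-ssl:PORT]`` and ``[SSL]``) are standard Splunk receiver stanzas, and the paths are the defaults used on this page.

```shell
#!/bin/sh
# Added example, not from the Wazuh or Splunk documentation: small readers for
# Splunk .conf files, used to verify what the indexer steps above configured.
# Only the subset of the format used by the setup files is handled:
# [stanza] headers, "key = value" lines and "#" comment lines.
# Assumed paths are the defaults from this page (/opt/splunk/etc/system/local).

# conf_stanzas FILE -> every stanza name, one per line, in file order.
conf_stanzas() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); print s }' "$1"
}

# conf_get FILE STANZA KEY -> prints the value; exit status 1 if not present.
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*\[/ {                                # stanza header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_stanza = (s == want); next
        }
        in_stanza && index($0, "=") {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# receiving_ports INPUTS_CONF -> TCP ports a forwarder can connect to, taken
# from [splunktcp://PORT] and [splunktcp-ssl:PORT] stanzas.
receiving_ports() {
    conf_stanzas "$1" | sed -n 's#^splunktcp\(-ssl\)\{0,1\}:\(//\)\{0,1\}\([0-9][0-9]*\)$#\3#p'
}

# indexer_ssl_summary INPUTS_CONF -> "plain" when there is no [SSL] stanza,
# otherwise the certificate path and whether the stock password is still set.
indexer_ssl_summary() {
    cert=$(conf_get "$1" SSL serverCert) || { echo plain; return 0; }
    pw=$(conf_get "$1" SSL sslPassword) || pw=""
    if [ "$pw" = "password" ]; then dflt=yes; else dflt=no; fi
    echo "ssl cert=$cert default-password=$dflt"
}

# Demo on a constructed inputs.conf (not the file fetched from the repository).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# receiving port for forwarders
[splunktcp://9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
EOF
receiving_ports "$demo"        # 9997
indexer_ssl_summary "$demo"    # ssl cert=$SPLUNK_HOME/etc/auth/server.pem default-password=yes
rm -f "$demo"
```

Run the same functions against ``/opt/splunk/etc/system/local/inputs.conf`` after step 3 above to confirm that a receiving port exists and that the ``[SSL]`` stanza is present before configuring the forwarder; ``default-password=yes`` is the signal that the stock certificate is still in use.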

Install and configure Splunk forwarder

A Splunk forwarder is required to send the Wazuh alerts to the Splunk indexer.

How the forwarder is configured depends on the architecture you are installing; the steps below are for the all-in-one deployment, where the forwarder runs on the Wazuh manager.

  1. Download the Splunk forwarder package from the official website. The versions of Splunk forwarder compatible with Wazuh and the Wazuh app for Splunk can be found :ref:`here <wazuh_and_splunk_app>`.

  2. Install the Splunk forwarder package on the Wazuh manager:

    .. tabs::
    
       .. group-tab:: Yum
    
          .. code-block:: console
    
             # yum install splunkforwarder-package.rpm
    
    
       .. group-tab:: APT
    
          .. code-block:: console
    
             # dpkg --install splunkforwarder-package.deb
    
    
    

Configuration

This section explains how to configure the Splunk forwarder to send alerts to the Splunk indexer component.

  • props.conf: Splunk needs to know the format of the data it ingests. This file tells the forwarder how to parse the Wazuh alerts.
  • inputs.conf: Tells the forwarder which input to read. In this case, the Wazuh alerts file.

Creating the configuration files

  1. Download and insert the props.conf template:

    # curl -so /opt/splunkforwarder/etc/system/local/props.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-|SPLUNK_LATEST_MINOR|/setup/forwarder/props.conf
  2. Download and insert the inputs.conf template:

    # curl -so /opt/splunkforwarder/etc/system/local/inputs.conf https://raw.githubusercontent.com/wazuh/wazuh-splunk/v|WAZUH_SPLUNK_CURRENT|-|SPLUNK_LATEST_MINOR|/setup/forwarder/inputs.conf
  3. Set the Wazuh manager hostname:

    # sed -i "s:MANAGER_HOSTNAME:$(hostname):g" /opt/splunkforwarder/etc/system/local/inputs.conf

Set up data forwarding

.. tabs::

  .. group-tab:: Data forwarding with SSL

      #. Create the file outputs.conf:

         .. code-block:: console

            # touch /opt/splunkforwarder/etc/system/local/outputs.conf

      #. Fill it with the content below:

         .. code-block:: console
            :emphasize-lines: 5, 10

               [tcpout]
               defaultGroup = default-autolb-group

               [tcpout:default-autolb-group]
               server = <INDEXER_IP>:9997
               clientCert = /opt/splunkforwarder/etc/auth/server.pem
               sslRootCAPath = /opt/splunkforwarder/etc/auth/ca.pem
               sslPassword = password

               [tcpout-server://<INDEXER_IP>:9997]


         - ``<INDEXER_IP>`` is the IP address of the Splunk indexer.

      #. Start the Splunk forwarder service:

         .. code-block:: console

               # /opt/splunkforwarder/bin/splunk start



         .. note::

            This command displays the Splunk forwarder General Terms, which must be accepted, and then prompts for:

            - Administrator name
            - Password


         .. warning::

             If you get an error message about port ``8089`` already being in use, you can change it to a different one.

         Once the forwarder is running, Wazuh alerts should start appearing in the designated indexer.

      #.  **Optional**. If you want the Splunk forwarder service to start at boot time, please execute the following command:

          .. code-block:: console

             # /opt/splunkforwarder/bin/splunk enable boot-start


  .. group-tab:: Data forwarding without SSL


      #. Start the Splunk forwarder:

            .. code-block:: console

               # /opt/splunkforwarder/bin/splunk start

            .. note::

               This command displays the Splunk forwarder General Terms, which must be accepted, and then prompts for:

               -  Administrator name
               -  Password

            .. warning::

               If you get an error message about port ``8089`` already being in use, you will be prompted to change it to a different one.

      #. Point the Splunk forwarder output to Wazuh Splunk indexer with the following command:

            .. code-block:: console

               # /opt/splunkforwarder/bin/splunk add forward-server <INDEXER_IP>:<INDEXER_PORT>

            This command prompts for the username and password of the administrator user created when the forwarder was first started: the CLI authenticates against the forwarder's own management port, not against the indexer.

               -  ``<INDEXER_IP>`` is the IP address of the Splunk Indexer.
               -  ``<INDEXER_PORT>`` is the port of the Splunk indexer earlier configured in receiving. The default value is 9997.

      #. Restart the Splunk Forwarder service:

            .. code-block:: console

               # /opt/splunkforwarder/bin/splunk restart

            .. warning::

               If you get an error message about port ``8089`` already being in use, you can change it to a different one.

            Once the forwarder is running, Wazuh alerts should start appearing in the designated indexer.

      #. **Optional**. If you additionally want the Splunk forwarder service to start at boot time, please execute the following command:

            .. code-block:: console

               # /opt/splunkforwarder/bin/splunk enable boot-start


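The following is an added example, not part of the Wazuh or Splunk documentation: a POSIX shell script that renders the SSL ``outputs.conf`` from the previous tabs for a given indexer address and then checks the forwarder's configuration files for the mistakes that most often leave a forwarder silent or unauthenticated: template placeholders that were never substituted (``<INDEXER_IP>``, ``MANAGER_HOSTNAME``), the stock certificate password, and a missing ``sslVerifyServerCert = true``. The file paths are the defaults from this page. ``sslVerifyServerCert`` is a standard Splunk ``outputs.conf`` setting that this page does not show; turning it on requires the indexer's certificate to chain to the CA in ``sslRootCAPath``.

```shell
#!/bin/sh
# Added example, not from the Wazuh or Splunk documentation: render the SSL
# outputs.conf from the tabs above for a given indexer, then check the
# forwarder's local configuration for mistakes that leave it silent or
# unauthenticated. Paths are the defaults from this page.

# render_outputs_conf INDEXER_IP [PORT] [OUTFILE]
# Writes the tcpout stanzas shown above; the stock client certificate and
# password are kept exactly as on the page.
render_outputs_conf() {
    ip=$1
    port=${2:-9997}
    out=${3:-/opt/splunkforwarder/etc/system/local/outputs.conf}
    cat > "$out" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ${ip}:${port}
clientCert = /opt/splunkforwarder/etc/auth/server.pem
sslRootCAPath = /opt/splunkforwarder/etc/auth/ca.pem
sslPassword = password

[tcpout-server://${ip}:${port}]
EOF
}

# check_placeholders FILE... -> exit 1 and print the offending lines if any
# template placeholder (<INDEXER_IP>, MANAGER_HOSTNAME, ...) was never replaced.
check_placeholders() {
    rc=0
    for f in "$@"; do
        if grep -n -E '<[A-Z_]+>|MANAGER_HOSTNAME' "$f"; then
            echo "unreplaced placeholder in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# tls_findings OUTPUTS_CONF -> one finding per line, nothing when all is well.
# sslVerifyServerCert is a standard Splunk outputs.conf setting not shown on
# this page; without it the forwarder encrypts but does not authenticate the
# indexer, and enabling it requires the indexer certificate to chain to the
# CA in sslRootCAPath.
tls_findings() {
    f=$1
    grep -q -E '^[[:space:]]*clientCert[[:space:]]*=' "$f" \
        || echo "no clientCert: alerts leave the forwarder in plaintext"
    grep -q -E '^[[:space:]]*sslPassword[[:space:]]*=[[:space:]]*password[[:space:]]*$' "$f" \
        && echo "stock certificate password still in use"
    grep -q -E '^[[:space:]]*sslVerifyServerCert[[:space:]]*=[[:space:]]*true' "$f" \
        || echo "sslVerifyServerCert not enabled: indexer certificate is not validated"
    return 0
}

# Demo in a scratch directory instead of /opt/splunkforwarder (constructed input).
d=$(mktemp -d)
render_outputs_conf 192.0.2.10 9997 "$d/outputs.conf"
printf 'host = MANAGER_HOSTNAME\n' > "$d/inputs.conf"   # as if the sed step above was skipped
check_placeholders "$d/inputs.conf" "$d/outputs.conf" || echo "fix placeholders before starting the forwarder"
tls_findings "$d/outputs.conf"
rm -rf "$d"
```

On a real forwarder, run ``check_placeholders`` against ``/opt/splunkforwarder/etc/system/local/inputs.conf`` and ``outputs.conf`` before ``splunk start``; a leftover ``MANAGER_HOSTNAME`` means every event arrives with the wrong host field, and a leftover ``<INDEXER_IP>`` means nothing arrives at all.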
Now that you’ve finished installing Splunk using the all-in-one architecture, you can proceed with the next step and :doc:`install the Wazuh app for Splunk <splunk-app>`.

Additional links